[ https://issues.apache.org/jira/browse/CLOUDSTACK-5355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sowmya Krishnan closed CLOUDSTACK-5355.
---------------------------------------

Verified with cifs

> addImageStore should not log password in clear text in the log
> --------------------------------------------------------------
>
> Key: CLOUDSTACK-5355
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5355
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
> Affects Versions: 4.2.0
> Reporter: Sowmya Krishnan
> Assignee: Min Chen
> Priority: Critical
> Fix For: 4.3.0
>
>
> For cifs, addImageStore are currently logging everything including username,
> password and domain in clear text in the logs, which are specified in query
> parameter url for the image store.
> Here's an extract from the logs: (obscured actual pwd)
> 2013-11-26 12:03:35,703 DEBUG [c.c.a.ApiServlet]
> (catalina-exec-13:ctx-f0723f52) ===START=== 10.104.255.45 – GET
> command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXXXX%40123%26domain%3DBLR&_=1385447356899
> 2013-11-26 12:03:35,741 INFO [o.a.c.s.d.l.CloudStackImageStoreLifeCycleImpl]
> (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) Trying to add a new data store
> at
> cifs://10.102.192.150/SMB-Share/sowmya/secondary?user=sowmya&password=XXX@123&domain=BLR
> to data center 1
> 2013-11-26 12:03:35,776 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52
> ctx-547cfc1f) foundUser istrue
> 2013-11-26 12:03:35,777 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52
> ctx-547cfc1f) foundPswd istrue
> 2013-11-26 12:03:36,011 DEBUG [c.c.a.ApiServlet]
> (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) ===END=== 10.104.255.45 – GET
> command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXX%40123%26domain%3DBLR&_=1385447356899

--
This message was sent by Atlassian JIRA
(v6.2#6252)
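
The report shows the same secret in two spellings: raw in the lifecycle message (`&password=...&`) and percent-encoded inside the API's `url=` parameter (`%26password%3D...%26`), so a mask that only looks for `password=` misses the ApiServlet lines. The following is an added example, not CloudStack's fix and not part of the original message: a redaction routine and logging filter covering both forms. The names `redact`, `RedactingFilter` and `SENSITIVE_KEYS` and the sample lines are assumptions made for illustration.

```python
import logging
import re

# Parameter names to mask. The issue title names the password; add "user"
# or "domain" here if those should be hidden as well.
SENSITIVE_KEYS = ("password",)

# The cifs URL shows up twice in the log: raw (?user=..&password=..) and
# percent-encoded once, as the value of the API's url= parameter
# (%3Fuser%3D..%26password%3D..). Both spellings of ? & = are matched.
_SECRET = re.compile(
    r"(?P<pre>(?:[?&]|%3F|%26)(?:" + "|".join(map(re.escape, SENSITIVE_KEYS)) + r")(?:=|%3D))"
    r"(?P<val>.*?)(?=&|%26|\s|$)",
    re.IGNORECASE,
)

def redact(line, mask="*****"):
    """Return line with every sensitive parameter value replaced by mask."""
    return _SECRET.sub(lambda m: m.group("pre") + mask, line)

class RedactingFilter(logging.Filter):
    """Logging filter that masks the formatted message before any handler sees it."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

# Constructed sample lines modelled on the two log formats in the report
# (placeholder host, user and password; not values from the issue).
SAMPLE_LINES = [
    "===START=== GET command=addImageStore&provider=SMB&url=cifs%3A%2F%2F192.0.2.10"
    "%2Fshare%3Fuser%3Dalice%26password%3DExample%40123%26domain%3DLAB&_=1",
    "Trying to add a new data store at cifs://192.0.2.10/share"
    "?user=alice&password=Example@123&domain=LAB to data center 1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact(line))
```

A password containing a literal `&` in the raw form, or a URL that has been percent-encoded twice, is not handled by this pattern.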